
This is a 7-part series released in segments; this second part focuses on why relying on Google Workspace DLP alone is not enough. The background sections are the same across all the posts.
Background
Google Workspace has changed the way organizations do business, bringing more collaboration, productivity and efficiency. Sounds great, right? The drawback is that all this collaboration comes at a price: data that is overexposed can be lost or stolen, with real financial cost, and an organization's reputation can suffer lasting damage.
Google Workspace is NOT a Security Solution
Yes, Google Workspace is a highly productive collaboration platform. But it has gaps when it comes to security, especially in controlling who can reach your data, in identity, and in monitoring compliance. Learn more about strengthening your Google Drive security to mitigate these risks.
Let’s take a closer look at 7 pain points that pose a critical threat to an organization’s security posture:
1. Sensitive company data is overexposed on Google Drive - Google Workspace is a target for attacks that can compromise sensitive information: 94% of organizations reported phishing attacks in 2024 (Egress Email Security Risk Report). Native visibility into data access is limited, and it is hard to know where every sensitive asset sits across Google Drive and how each one is shared. Overexposed data is exactly what an attacker, or a careless user, exfiltrates.
2. Google Workspace DLP capabilities are limited - DLP rules cannot reliably stop employees from exfiltrating data through their personal accounts, sharing with external collaborators, or downloading data to endpoints. Drive's sharing roles are coarse (viewer, commenter, editor), and Google Workspace lacks native tools to remediate sensitive data that is already overexposed, so unauthorized sharing and leakage persist. Cleaning up overexposure across large volumes of data is difficult, if not impossible, with native tooling alone.
3. Insider threats and identity challenges - Employees are often the weakest link in an organization's security chain, and departing or disgruntled employees can pose the biggest threat. It is relatively easy for an about-to-leave employee to download large volumes of assets or, worse, delete files. A Google Workspace vulnerability recently allowed attackers to bypass the email verification step when creating accounts and impersonate legitimate account owners. Riskier still, domain-wide delegation grants a service account (and whoever holds its key) access to the data of every user in the Workspace domain, which can unintentionally hand out far more access than intended.
4. Google labels alone don't prevent data loss - Google labels help to organize, find, and apply policies to files in your Drive. But the more labels your organization defines, the harder it is to search for specific assets, and labels don't provide granular access control. Your organization still needs robust permission settings to ensure sensitive documents aren't accidentally exposed or shared with unauthorized parties.
5. Malicious or unsanctioned 3rd party shadow apps - The average organization uses over 1200 apps, increasing the potential attack surface. If not properly managed, the proliferation of shadow apps installed in your Google Workspace increases the probability of unauthorized access.
6. Challenge of meeting compliance requirements across Google Workspace - Google Workspace’s default settings don’t necessarily meet strict regulation requirements, such as GDPR, CCPA and HIPAA. To ensure compliance, organizations need to invest in manual effort or third-party tools.
7. Difficulty in pinpointing your riskiest use cases and security threats across the organization - With so much data at our fingertips, it becomes a challenge to differentiate high-risk user behavior from medium- or low-risk. We need to know clearly what use cases and anomalies we're looking for before we can actually see them.
There is a solution. You can bridge your Google Workspace security gaps seamlessly with DoControl, an agentless automated solution that remedies each pain point with ease, without impacting your productivity.
Most security solutions on the market will protect your organization’s endpoint - be it a laptop or mobile device - from being attacked and infecting the entire organization. But these solutions don’t take into account, or even correlate, the user’s behavior across SaaS apps. DoControl connects the data dots between Google Workspace and all your SaaS apps, including Slack, HRIS and IdPs, to provide your organization with a robust security solution based uniquely on enriched data context.
Pain point #2: Google Workspace DLP capabilities are limited
Challenge:
Even after implementing Google Workspace DLP, my company found that more than half of our sensitive assets were being exposed both to external parties and through public links. We’re not talking about a few Google Drives with sensitive files, but thousands of files across our organization. It was impossible to remediate this type of grand-scale overexposure in a timely way.
Solution:
DoControl is a scalable solution that protects large volumes of business-critical data from being overexposed in real time. Using advanced tools like NLP and data-enriched business context, DoControl alerts you to risky overexposure as it happens and triggers automated remediation. Only with DoControl can you remediate historical overexposure in bulk, and implement granular access controls to prevent future overexposure, without reducing productivity.
How does Google Workspace DLP work?
Data Loss Prevention (DLP) in Google Workspace is a cloud security service that aims to protect your corporate Google Drive assets containing sensitive data, such as personally identifiable information (PII), financial data, intellectual property, and access credentials.
Every time you add or edit a file in Google Drive, you trigger a DLP scan that searches for sensitive content, based on rules defined by Google Workspace admins. If sensitive data is found, the rule's action is applied automatically, such as:
- Blocking the file from being shared outside your organization
- Warning end users before they share sensitive data outside your organization
- Logging the match and alerting your security team (audit-only mode)
- Disabling copy, download or print of the content (via Chrome Enterprise data protection rules)
For example: a DLP rule using the predefined credit card detector looks for numbers in the major card brands' formats and validates them with the Luhn checksum. If a credit card number is found in a document, external sharing of that document is blocked.
To boost DLP capabilities, Google Workspace recently launched an AI component that automatically generates labels for your Google Drive assets. A specific label, like confidential or proprietary, can then serve as a rule condition that triggers a remediation action.
Limitations of Google Workspace DLP
As a first step, Google Workspace DLP can detect sensitive information, but not always accurately. Its remediation actions are broad and blunt, and don’t address a wide range of use cases in a granular way.
One-size-fits-all DLP reduces productivity
Google Workspace DLP employs a one-size-fits-all protection policy, where the same remediation action is applied to all files with a specific label. When Google Workspace DLP restricts all sensitive files from being shared outside a specific department, it leads to reduced productivity and awkward situations. For example, due diligence and review processes usually involve external contractors who need to access sensitive files. If these files are blocked for sharing, it creates huge overhead to undo the access restrictions. In short, Google DLP is just not granular enough to remediate specific sharing cases.
Data exfiltration happens
Rules in Google Workspace DLP cannot prevent your employees from exfiltrating data through their personal accounts, sharing with external collaborators, or downloading data to endpoints. Unauthorized sharing and potential leakage can still happen.
It takes a long time to scan your entire Google Drive
When you add new files in Google Drive, they’re scanned almost immediately. But when you first implement DLP, or modify DLP rules, it can take a very long time - up to days - to scan your entire asset inventory. During the time it takes for DLP to complete the scanning process, your files are not protected and continue to be overexposed.
Not all file types can be scanned
Google Workspace DLP scans Docs, Sheets and Slides in your organization's Drive, but not video or audio files. File comments, which might contain sensitive information, are also not scanned. Scanning is limited to the first 1MB of each file, so sensitive data that appears after the first 1MB of content won't be classified as sensitive, and files larger than 50MB are not scanned at all.
False positives for sensitive content
Google Workspace DLP relies on regular expressions and word lists to detect sensitive data. Pattern matching alone produces a high number of false positives (any 16-digit order or tracking number looks like a card number), while exact word matches are rigid and miss variants, producing a significant share of false negatives. Even Google does not guarantee to detect and flag all your sensitive content.
No bulk remediation for overexposed files
Google Workspace DLP has no way to remediate overexposure across large volumes of files. Its rules act on files as they are created, edited or shared; files already shared with external parties or publicly are not retroactively unshared, and undoing those shares means removing permissions file by file, through the admin console or the Drive API. To remediate historical overexposure, you need to complement Google Workspace DLP with additional tools or manual processes. With DoControl, you can secure all your data across your Google Workspace ecosystem in bulk.
Only DoControl remediates historical overexposure in bulk
As your organization grows and the volume of your Google assets increases exponentially, managing file permissions across your Google Drive becomes a daunting task.
Not anymore. With DoControl, you can clean up all your historical exposure in Google Drive with a few clicks.
DoControl’s bulk remediation is unique and powerful, and offers these capabilities:
- Scalable remediation is unique to DoControl. You can address your overexposure challenges more effectively and speedily by remediating hundreds of thousands of asset permissions at the same time.
- Time-saving bulk remediation removes excessive asset permissions in minutes rather than days. This is a massive time-saver if your organization has thousands or millions of assets.
- Permissions of archived users can be remediated in bulk, allowing you to easily clean up exposure backlogs of terminated Google users.
- Transparent handling of inherited permissions allows you to see exactly which asset permissions will be remediated. When it comes to remediating Google assets in shared drives, you need to consider assets that inherited their permissions from a parent folder.
Have a large permission gap that you need to close quickly, such as a terminated employee or an incident response? No problem. Just filter your Google asset inventory to pinpoint the exposure, and remediate. Remediation actions include removing specific external collaborators, removing public sharing links, removing org-wide sharing, changing asset owners, and more.
Remember, with DoControl you’re remediating only permissions. Your Google assets remain intact.
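To make the remediation model concrete, here is an added example (not DoControl's product code and not a Google sample) of the decision logic a bulk clean-up has to apply to Drive API v3 permission resources: classify each permission as public, external, trusted-external, internal or belonging to an offboarded user, and build a list of permission deletions. It keeps the inherited-permission caveat from the list above: on shared-drive items a permission carries a permissionDetails entry with inherited and inheritedFrom, and Drive rejects deleting it on the child, so the plan targets the ancestor instead. The domain lists, the offboarded-user set and the file records are constructed for the example.

```python
from typing import Iterable, Optional

# Assumed organisation context; a real run would load these from the Admin SDK and HRIS.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_DOMAINS = {"lawfirm.example"}        # vetted vendor allowed to keep access
OFFBOARDED_USERS = {"eve@example.com"}       # terminated accounts per HRIS


def classify_permission(perm: dict) -> str:
    """Map a Drive API permission resource to an exposure class."""
    ptype = perm["type"]
    if ptype == "anyone":                    # link sharing, with or without discovery
        return "public"
    if ptype == "domain":
        return "internal" if perm.get("domain", "").lower() in INTERNAL_DOMAINS else "external_domain"
    email = perm.get("emailAddress", "").lower()
    if email in OFFBOARDED_USERS:
        return "offboarded"
    domain = email.rsplit("@", 1)[-1]
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in TRUSTED_DOMAINS:
        return "trusted_external"
    return "external"


def inherited_from(perm: dict) -> Optional[str]:
    """For shared-drive items, the ID of the ancestor the permission is inherited from."""
    for detail in perm.get("permissionDetails", []):
        if detail.get("inherited"):
            return detail.get("inheritedFrom")
    return None


def plan_remediation(files: Iterable[dict],
                     remove_classes=("public", "external", "external_domain", "offboarded")) -> list:
    """Return the permission deletions needed; inherited grants are redirected to their source."""
    actions = []
    for f in files:
        for perm in f.get("permissions", []):
            if perm.get("role") == "owner":  # owners are changed, never deleted
                continue
            cls = classify_permission(perm)
            if cls not in remove_classes:
                continue
            parent = inherited_from(perm)
            # Deleting on the ancestor removes access for every item beneath it,
            # which is why the plan records the child that surfaced the exposure.
            actions.append({
                "fileId": parent or f["id"],
                "permissionId": perm["id"],
                "reason": cls,
                "inherited_via_child": f["id"] if parent else None,
            })
    return actions


def apply_plan(actions, drive, dry_run=True):
    """Execute against a googleapiclient Drive v3 service object (assumed already authorised)."""
    for a in actions:
        if dry_run:
            print("would delete", a)
            continue
        drive.permissions().delete(fileId=a["fileId"], permissionId=a["permissionId"],
                                   supportsAllDrives=True).execute()


# Constructed sample in the shape of files.list(fields="files(id,name,permissions(...))").
SAMPLE_FILES = [
    {"id": "fileA", "name": "Q3 board deck", "permissions": [
        {"id": "01", "type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
        {"id": "02", "type": "user", "role": "reader", "emailAddress": "bob@contractor.io"},
        {"id": "03", "type": "user", "role": "commenter", "emailAddress": "carol@lawfirm.example"},
    ]},
    {"id": "fileB", "name": "Payroll.xlsx", "permissions": [
        {"id": "04", "type": "user", "role": "writer", "emailAddress": "dave@gmail.com",
         "permissionDetails": [{"permissionType": "member", "role": "writer",
                                "inherited": True, "inheritedFrom": "folder1"}]},
        {"id": "05", "type": "user", "role": "reader", "emailAddress": "eve@example.com"},
        {"id": "06", "type": "domain", "role": "reader", "domain": "example.com"},
    ]},
]

if __name__ == "__main__":
    apply_plan(plan_remediation(SAMPLE_FILES), drive=None, dry_run=True)
```

Run it as-is for a dry run; pass an authorised Drive service and dry_run=False to execute. Note that the page-through of files.list and the per-request quota are what make this slow at scale, and that the folder-level deletion for dave@gmail.com removes his access to everything under folder1, not only Payroll.xlsx.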

DoControl playbooks automatically remediate future exposure
With DoControl, you can define automated workflows to detect and remediate future file exposure in Google Drive. Our workflows are granular, giving you full access control across a very wide range of use cases.
To make life even easier, DoControl offers a large number of customizable playbooks that are pre-populated for risky event types in Google Drive:
Encryption key sharing
Publicly sharing encryption keys means they are accessible to anyone on the web. This increases the risk of data exfiltration, since anyone can see these keys and potentially use them to access sensitive data in your organization. With DoControl playbooks, you can:
- Notify when an external user uploads encryption keys to Google Drive
- Remove any public sharing links from encryption keys
4th party sharing
Sharing with 4th parties opens the company to potential data exfiltration, since data is shared with an unvetted party who hasn’t passed any security assessment. DoControl playbooks allow you to:
- Notify your security team when a 3rd party shares an asset with a 4th party in Google Drive
- Automatically remove any 4th party collaborators from the asset
External sharing
Externally shared assets can be accessed by specific users outside of the organization. You need to be careful that internal or sensitive data is not exposed. With DoControl playbooks, you can:
- Remove access when assets are no longer needed by the parties with whom they were shared
- Remediate external sharing with 3rd party vendors or private accounts
- Remediate external sharing of PII, files with sensitive Google labels, or sensitive regex content
- Remediate external sharing if a user has active alerts
Public sharing
Publicly shared assets means they are now accessible to anyone on the web. Public sharing can cause significant damage if exposed documents reach someone with malicious intent. Leverage DoControl playbooks to:
- Remove public sharing links of PII, or files with sensitive Google labels
- Auto-expire public sharing after 30 days
- Notify and remediate publishing files to the web
Internal collaborator sharing
Weak access controls and legacy permission systems open the door for insider threat. Malicious actors with access to company assets can easily exfiltrate sensitive data, and cause significant damage to your organization. With DoControl playbooks, you can:
- Auto-expire cross-team collaboration
- Remove cross-team collaboration
Malware propagation prevention
Malware that reaches your organization's SaaS platform can lead to a critical data breach, where sensitive information is accessed without authorization or, worse, stolen or deleted. Leverage DoControl playbooks to:
- Notify when a ransomware encryption file is uploaded
Asset monitoring and isolation
When your organization has a set of known assets with sensitive or company-confidential content, it's in your interest to protect this content from overexposure. With DoControl playbooks, you can:
- Notify on viewing, uploading or downloading a file
- Remediate external sharing in a specific folder
- Remove public sharing from a specific folder
Private account sharing
Data shared with unauthorized, non-business contacts could be an attempt to exfiltrate data. Leverage DoControl playbooks to:
- Auto-expire sharing with private accounts
- Remove sharing with private accounts, especially when offboarding
IT and security operations
Controlling which external domains, source IPs and accounts can reach your Drive is a first line of defense against unauthorized access. With DoControl playbooks, you can:
- Add external domains to your trusted domain list after sharing files
- Notify about a suspicious login from a non-trusted IP
- Remediate a suspended employee's personal email access to Google Drive
Shadow apps
Shadow apps installed in your Google Workspace can gain permission to read, write, and delete sensitive data – all of which can negatively impact your security, business, and compliance risk. Leverage DoControl playbooks to:
- Remove installed shadow apps with risky permissions
- Remove unclassified shadow apps
Sensitive data movement
Personal or classified information shared to a public location can be copied by anyone who finds it, and it stays exposed until the sharing is revoked (and possibly afterwards, in copies). Leverage DoControl playbooks to:
- Notify when an about-to-leave employee downloads sensitive files
Personal account sharing
Personal sharing occurs when employees give themselves access to organizational assets through their own personal email accounts. This opens the door to exfiltration during and even after their employment. Leverage DoControl playbooks to:
- Remove sharing with an employee’s personal email
- Remediate a suspended employee's personal email access to Google Drive
With DoControl’s pre-defined workflows, you can automate granular file-level enforcement across your organization’s entire Google Drive. What’s more, extend these workflows to communicate with your SOAR, SIEM, and ITSM platforms.

DoControl leverages NLP and events for real-time detection
DoControl utilizes a context-based DLP solution to distinguish between acceptable business scenarios and risky security issues, dramatically reducing the probability of false positives.
NLP scans for sensitive data types
Natural language processing (NLP) is leveraged for real-time discovery, classification and protection of sensitive data types in your Google Drive, including PII, PHI, payment card data (PCI), AWS secrets, encryption keys, and credentials. In addition, DoControl leverages data-enriched business context originating from IdP, EDR and HRIS systems.
Event monitoring with context
DoControl is an event-based solution, and provides near real-time identification of potential data breaches and exposures. By subscribing to Google Workspace activity feeds (audit-log push notifications), DoControl generates real-time events and alerts for end-user activity, such as external and public file sharing, encryption key uploads, endpoint malware detection, sharing with personal and private emails, suspicious access activity from non-trusted IPs, and actions performed by third-party apps in your Google environment.
With real-time detection, you can immediately alert your security team and take automated steps to directly remediate any overexposure.
For example: If an employee in the sales team downloads a large number of files, and your HRIS indicates this employee is about to leave, DoControl alerts the relevant manager and your security team immediately.
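The departing-employee example is a good illustration of what "context" adds to an event stream. The following is an added example, not DoControl's detection code: a sliding-window count of Drive download events per actor, where the alert threshold drops sharply when the HRIS snapshot shows a last day within 30 days, and the alert is routed to the manager on record. The activity records are constructed in the general shape of Admin SDK Reports API Drive audit activities (id.time, actor.email, events[].name, events[].parameters); the HRIS table and thresholds are assumed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed HRIS snapshot (assumed shape); last_day=None means no planned departure.
HRIS = {
    "sam@example.com": {"team": "sales", "manager": "lee@example.com", "last_day": "2024-06-14"},
    "pat@example.com": {"team": "sales", "manager": "lee@example.com", "last_day": None},
}
SECURITY_MAILBOX = "security@example.com"   # assumed


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def departing_within(email: str, at: datetime, horizon_days: int = 30) -> bool:
    """True if HRIS records a last working day within horizon_days of the event."""
    rec = HRIS.get(email)
    if not rec or not rec["last_day"]:
        return False
    last_day = datetime.fromisoformat(rec["last_day"]).replace(tzinfo=timezone.utc)
    return 0 <= (last_day - at).days <= horizon_days


def param(sub_event: dict, name: str) -> Optional[str]:
    """Pull a named value out of a Reports API event parameter list."""
    for p in sub_event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value")
    return None


def detect_bulk_downloads(activities, window=timedelta(minutes=10),
                          base_threshold=50, departing_threshold=10) -> list:
    """One alert per actor whose downloads inside the window cross their threshold."""
    recent = defaultdict(deque)   # actor -> (timestamp, doc_id) pairs inside the window
    alerts = {}
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        actor = act["actor"]["email"]
        ts = parse_time(act["id"]["time"])
        for sub in act.get("events", []):
            if sub.get("name") != "download":
                continue
            q = recent[actor]
            q.append((ts, param(sub, "doc_id")))
            while q and ts - q[0][0] > window:
                q.popleft()
            departing = departing_within(actor, ts)
            threshold = departing_threshold if departing else base_threshold
            if len(q) < threshold:
                continue
            alert = alerts.setdefault(actor, {
                "actor": actor,
                "first_seen": q[0][0].isoformat(),
                "severity": "high" if departing else "medium",
                "notify": [HRIS.get(actor, {}).get("manager"), SECURITY_MAILBOX],
            })
            alert["downloads_in_window"] = len(q)
            alert["distinct_docs"] = len({d for _, d in q})
    return list(alerts.values())


def constructed_activities() -> list:
    """Twelve downloads in four minutes by each of two sales users (constructed data)."""
    base = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    acts = []
    for actor in ("sam@example.com", "pat@example.com"):
        for i in range(12):
            acts.append({
                "id": {"time": (base + timedelta(seconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "applicationName": "drive"},
                "actor": {"email": actor},
                "events": [{"type": "access", "name": "download",
                            "parameters": [{"name": "doc_id", "value": f"doc-{i}"},
                                           {"name": "doc_title", "value": f"Account plan {i}"}]}],
            })
    return acts


if __name__ == "__main__":
    for a in detect_bulk_downloads(constructed_activities()):
        print(a)
```

Both users show identical Drive behaviour; only sam, whose last day is eleven days out, trips the lower threshold. Without the HRIS join the same 12 downloads are noise, which is the point of enriching the event with business context rather than tuning a single global threshold.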
Employee engagement reduces overexposure over time
DoControl engages directly with employees and their managers in their preferred communication channel to prevent inappropriate sharing activities. We notify security teams about external or public sharing, and include employees in the remediation process if possible, asking them to approve or reject risky actions. This boosts security awareness and reduces the likelihood of incidents in the future.

Take-away
It's DoControl's mission to prevent data loss and automatically remediate overexposure of organizational data. The velocity of asset changes and exponential file growth in your Google Drive make data leakage a real threat. With DoControl you get near-real-time protection for your sensitive data.
Context-based data classification means far less sensitive data goes undiscovered, and granular automated workflows remediate detected threats in near real-time. DoControl protects your data even while you sleep.
FREE Google Workspace Risk Assessment
The first step in securing your Google Workspace is to assess and understand your risks. That's why we offer a free Google Workspace risk assessment that provides the insights you need to identify existing risks and determine the actions required to mitigate them.
If you are interested, feel free to reach out to our team.